sub-processor-management

Installation
SKILL.md

Sub-Processor Management

Overview

GDPR Article 28(2) establishes that a processor shall not engage another processor (sub-processor) without prior specific or general written authorisation of the controller. Where general authorisation is granted, the processor must inform the controller of any intended changes concerning the addition or replacement of sub-processors, giving the controller the opportunity to object. This creates an ongoing management obligation that extends through the entire processing chain.

The EDPB Guidelines 07/2020 (paragraph 93) emphasize that the controller's Article 28(1) due diligence obligation extends to oversight of sub-processor arrangements, and that the processor remains fully liable for the sub-processor's compliance.

At Summit Cloud Partners, the Sub-Processor Management Program ensures visibility and control over the entire processing chain for all vendor relationships involving personal data.

Authorization Models

Model A: Prior Specific Authorization

Under this model, the controller individually approves each sub-processor before engagement.

Installs
10
GitHub Stars
187
First Seen
May 12, 2026
sub-processor-management — mukul975/privacy-data-protection-skills